From: John Baldwin
To: Gregory Sutter
Cc: freebsd-security@FreeBSD.ORG, Rob Hurle, Stefan Probst
Date: Wed, 14 Nov 2001 12:52:45 -0800 (PST)
Subject: Re: Adore worm
In-Reply-To: <20011114124932.J35048@klapaucius.zer0.org>

On 14-Nov-01 Gregory Sutter wrote:
> On 2001-11-13 09:22 -0800, John Baldwin wrote:
>>
>> It's a rootkit, and your box has been compromised. Back up your data and
>> reinstall unless someone else has a better idea.
>
> I'm not sure if this is a better idea, but it does allow remote
> cleanup. Tell me if I've missed anything.
>
> 1. Insert /etc/hosts.allow rules that only allow connections from
>    your IP or subnet.
>
> 2. Change your password, and then change your root password.
>
> 3. pkg_delete cvsup   # and any variants: cvsup-bin, etc.
>    pkg_add -r cvsup
>
> 4. /stand/sysinstall, install a 'minimal' system from an FTP server
>    (to get a clean 'make', 'cc', and libs)

This also will clean out /etc, so you might want to back up certain bits of
/etc that you restore later, like the password and group files and rc.conf.

-- 
John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/
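The /etc backup step John describes, as an added example that is not part of the original thread: it copies the password, group and rc.conf files out of a (compromised) /etc before sysinstall wipes it, records a cksum manifest so the copies can be verified before restore, and lists every uid 0 account in the saved master.passwd so a root-equivalent login planted by the intruder is reviewed rather than carried onto the clean system. The file list, function names and directory arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Preserves the /etc bits the
# reply names before a reinstall and helps review them before restoring.

# Files to carry across the reinstall (assumed list, based on the reply).
KEEP_FILES="master.passwd passwd group rc.conf"

# backup_etc ROOT DEST: copy KEEP_FILES from ROOT into DEST and write a
# cksum manifest ("<crc> <size> <name>" per line, POSIX format).
backup_etc() {
    root=$1; dest=$2
    mkdir -p "$dest" || return 1
    : > "$dest/MANIFEST"
    for f in $KEEP_FILES; do
        [ -f "$root/$f" ] || continue        # skip files this box lacks
        cp -p "$root/$f" "$dest/$f" || return 1
        (cd "$dest" && cksum "$f") >> "$dest/MANIFEST"
    done
}

# verify_etc DEST: re-check every manifest entry; prints the first mismatch
# and returns non-zero, so a copy altered after backup is not restored.
verify_etc() {
    dest=$1
    (cd "$dest" && while read -r crc size name; do
        [ "$(cksum "$name")" = "$crc $size $name" ] ||
            { echo "MISMATCH: $name"; exit 1; }
    done < MANIFEST)
}

# uid0_accounts FILE: print each login in a master.passwd-format file whose
# uid (field 3) is 0. FreeBSD ships root and toor; anything else here was
# added by someone and should be explained before the file goes back.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}
```

Run `backup_etc /etc /root/etc-save` before step 4, then `verify_etc` and `uid0_accounts` on the saved copy before putting anything back.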